Nebulis01
Dec 30, 2003
Technical Support Ninny
I'm pretty sure (according to a quick googling) that Samba supports DFS or similar. So I'd even take it further and go \\domain.here\namespacehere\stuff - that way down the road you can replace the server(s) underneath the shares and nobody is the wiser, no shortcuts to update or anything.

You can keep the letter maps if you need to.


Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
People posting ITT not knowing about Access Based Enumeration

Gyshall fucked around with this message at 14:33 on Jan 22, 2015

devmd01
Mar 7, 2006

Elektronik
Supersonik
Single root dfs namespace with access based enumeration backed by a good HA cluster is the poo poo, map one drive letter and you're done. Keep good _FA and _RO groups per folder and granting access is a 10 second AD lookup. The trick is the effort required to get there if you're spread across lots of servers, shares, etc.

Orcs and Ostriches
Aug 26, 2010


The Great Twist
Does anyone know why a subset of machines would have trouble updating their dynamic dns in a windows environment? Just out of the blue we've had 20 or so machines (all out of a batch of 60 that have been imaged in the last couple months) stop updating, and their record goes stale and gets scavenged. They're getting dhcp addresses properly, and every other machine is working as normal.

Only places I can think to look are the dns and dhcp logs on the clients/servers, but according to them everything is ok.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Orcs and Ostriches posted:

Does anyone know why a subset of machines would have trouble updating their dynamic dns in a windows environment? Just out of the blue we've had 20 or so machines (all out of a batch of 60 that have been imaged in the last couple months) stop updating, and their record goes stale and gets scavenged. They're getting dhcp addresses properly, and every other machine is working as normal.

Only places I can think to look are the dns and dhcp logs on the clients/servers, but according to them everything is ok.

What happens if you do an ipconfig /registerdns ? Any error on the client machine? It would be in the event log somewhere "unable to update blah blah dns blah blah"

My gut says this is a permission issue based on some sort of failure of the computer account to authenticate to AD and update its own DDNS record. Either something is preventing it, or it doesn't have the permissions.

Double check your DHCP server options, make sure everything in there is setup properly regarding the registration of dns records.

How do you image your machines? Do you use Sysprep or some other SID modifier?

Orcs and Ostriches
Aug 26, 2010


The Great Twist

skipdogg posted:

What happens if you do an ipconfig /registerdns ? Any error on the client machine? It would be in the event log somewhere "unable to update blah blah dns blah blah"

My gut says this is a permission issue based on some sort of failure of the computer account to authenticate to AD and update its own DDNS record. Either something is preventing it, or it doesn't have the permissions.

Double check your DHCP server options, make sure everything in there is setup properly regarding the registration of dns records.

How do you image your machines? Do you use Sysprep or some other SID modifier?

ipconfig /registerdns eventually returns "The DNS server's response to a query for name COMPUTER.DOMAIN indicates that no records of the type queried are available, but could indicate that other records for the same name are present." in the DNS Client Event log

Everything's sysprepped, and there are 90 other machines using the same image, so I think that should be safe.

And as far as I can tell, DHCP is still set up right. It only ever gets touched for updates, so the configuration shouldn't have changed.


I agree that it feels like an AD authentication issue. The problem arose when the computers in question all failed logins with "The trust relationship between this workstation and the primary domain failed." After closer inspection, AD accounts were never created for these computers when they joined the domain. Rejoining doesn't help, nor does rejoining with a precreated account. Strangely, it appears valid from the client's side, and we can successfully log into domain accounts for the day.

I actually sysprepped one of the machines again, and tried the process from scratch, with no success. I figured that it was a DNS issue, because the records weren't being created, but on second thought it seems like it's an AD issue first, which is also causing the DNS issue.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Orcs and Ostriches posted:

The trust relationship between this workstation and the primary domain failed.

I was afraid of that. Usually force removing the client from the domain, deleting the computer object and DNS records in AD, then rejoining the domain fixes it.

Something is jacked up

CLAM DOWN
Feb 13, 2007




skipdogg posted:

I was afraid of that. Usually force removing the client from the domain, deleting the computer object and DNS records in AD, then rejoining the domain fixes it.

Something is jacked up

Do this instead first:

code:
rem run in an elevated prompt on the affected workstation; /passwordd:* prompts for the admin password instead of putting it on the command line
netdom resetpwd /server:dc01.domain /userd:domain\domain_admin_username /passwordd:*
That trust relationship issue can sometimes be fixed by this.
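The same checks in PowerShell, as an added example that is not code from the thread: it covers the two symptoms discussed above (the broken secure channel behind "trust relationship ... failed" and the A record that never gets registered) and only attempts the repair if the channel test actually fails. The DC name `dc01.domain`, the admin account name, the 7-day lookback and the presence of the RSAT ActiveDirectory module on the client are assumptions.

```powershell
# Added example, not from the thread. Run elevated on the affected client.
# Assumptions: dc01.domain is a reachable DC; RSAT's ActiveDirectory module is
# installed (step 2 is skipped if it is not).

$Dc = 'dc01.domain'   # placeholder domain controller

# 1. Secure channel health: this is what "trust relationship ... failed" refers to.
$channelOk = Test-ComputerSecureChannel -Server $Dc
"Secure channel to ${Dc} healthy: $channelOk"

# 2. Does a computer object exist at all? (the thread found none had been created)
if (Get-Module -ListAvailable ActiveDirectory) {
    $obj = Get-ADComputer -Filter "Name -eq '$env:COMPUTERNAME'" -Server $Dc -ErrorAction SilentlyContinue
    if ($obj) { "AD object: $($obj.DistinguishedName)" } else { "No AD computer object named $env:COMPUTERNAME" }
}

# 3. DNS registration failures the DNS Client logs in the System log (events 8015/8018).
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DNS-Client'
    Id           = 8015, 8018
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

# 4. Compare what DNS holds with what the client actually leased from DHCP.
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$local = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -eq 'Dhcp' }).IPAddress
$inDns = (Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue).IPAddress
"Local DHCP address(es): $($local -join ', ')"
"A record(s) in DNS:     $($inDns -join ', ')"

# 5. Only if the channel is broken: reset the computer account password with the DC.
#    This is the PowerShell equivalent of netdom resetpwd and prompts for credentials.
if (-not $channelOk) {
    Test-ComputerSecureChannel -Repair -Server $Dc -Credential (Get-Credential 'domain\domain_admin_username')
}
```

If step 2 reports no computer object, the repair in step 5 has nothing to reset against and the machine needs to be rejoined; step 4 mismatching while step 3 shows 8015 events is the "record goes stale and gets scavenged" case from the original question.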

TheEffect
Aug 12, 2013
Any idea why Spiceworks gives me a total list of PCs that I have access to via the DC, but Windows Active Directory Administrative Center is giving me an entirely different list of PCs that is only about 5% complete?

AAB
Nov 5, 2010

e: eh, exchange so taking it to the exchange thread.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Going to move this to CoC once I get my thoughts together and look at this some more.

MF_James fucked around with this message at 22:46 on Jan 21, 2015

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Couldn't you make this two steps? Export the name of all the objects in an OU to a .csv such as ou1.csv then have ps read ou1.csv and move those objects?

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Tab8715 posted:

Couldn't you make this two steps? Export the name of all the objects in an OU to a .csv such as ou1.csv then have ps read ou1.csv and move those objects?

But it won't know which OU to move them to? We are going from 8 OUs to 22 OUs, the current OU structure and what objects are in them isn't going to matter or help with the structure we're going to. Actually our current structure.. now that I think about it, is 9 OUs, 1 OU has 2200 objects, 6 of them have 300 or so in each and the last 2 have the rest.

Unless I misunderstood what you were saying.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

There's a powershell thread in CoC that is really useful

http://forums.somethingawful.com/showthread.php?threadid=3286440


This may not be the best way to do it, but I would add a column to your CSV that has the target OU in it, move the $targetOU variable into the for each loop then do something like this

code:
# each CSV row needs a CompName column (computer name) and an OU column (target OU distinguished name)
$ComputersPath = Import-CSV c:\myfile.csv

foreach ($item in $ComputersPath) {
    $computer = Get-ADComputer $item.CompName
    $targetOU = $item.OU

    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOU -Confirm:$false
}
I didn't check your code to test it, but that's how I would approach it

You already have 22 files, each one of those is for its own OU right?

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

skipdogg posted:

There's a powershell thread in CoC that is really useful

http://forums.somethingawful.com/showthread.php?threadid=3286440


This may not be the best way to do it, but I would add a column to your CSV that has the target OU in it, move the $targetOU variable into the for each loop then do something like this

code:
# each CSV row needs a CompName column (computer name) and an OU column (target OU distinguished name)
$ComputersPath = Import-CSV c:\myfile.csv

foreach ($item in $ComputersPath) {
    $computer = Get-ADComputer $item.CompName
    $targetOU = $item.OU

    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOU -Confirm:$false
}
I didn't check your code to test it, but that's how I would approach it

You already have 22 files, each one of those is for its own OU right?

Yes, 22 files each represents an OU we are creating, the files contain only location name though, we have 2 objects per location (HOST000001 and GUEST000001) and the file is setup as 0000001, 0000002, 000003, etc

Also, thanks I didn't realize there was a PS thread in CoC (I honestly didn't even think about it)
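Putting skipdogg's approach and MF_James's actual input format together, as an added example (not code from either poster): one file per target OU, each line a location number, two computer objects per location named HOST&lt;number&gt; and GUEST&lt;number&gt;. The folder `C:\ou-lists`, the convention that each file is named after its OU, the parent OU DN and the 6-digit zero padding are all assumptions for this example; the default is a dry run.

```powershell
# Added example, not the thread's code. Requires the RSAT ActiveDirectory module.
# Assumptions: C:\ou-lists\<OUName>.txt holds one location number per line, and
# the target OU is OU=<OUName>,OU=Workstations,DC=domain,DC=local.

Import-Module ActiveDirectory

$ListFolder = 'C:\ou-lists'                         # assumed
$ParentOu   = 'OU=Workstations,DC=domain,DC=local'   # assumed
$DryRun     = $true                                  # set to $false to really move objects

foreach ($file in Get-ChildItem -Path $ListFolder -Filter '*.txt') {
    $targetOu = "OU=$($file.BaseName),$ParentOu"

    # Refuse the whole file if the target OU is missing, rather than failing per object.
    try   { $null = Get-ADOrganizationalUnit -Identity $targetOu -ErrorAction Stop }
    catch { Write-Warning "Target OU not found, skipping $($file.Name): $targetOu"; continue }

    foreach ($location in Get-Content $file.FullName | Where-Object { $_.Trim() }) {
        # Normalise "0000001" / "000003" style entries to the 6-digit suffix in the object names.
        $suffix = '{0:D6}' -f [int]($location.Trim())

        foreach ($name in "HOST$suffix", "GUEST$suffix") {
            $computer = Get-ADComputer -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
            if (-not $computer) { Write-Warning "No computer object named $name"; continue }

            # Already in the right place: nothing to do.
            if ($computer.DistinguishedName -like "*,$targetOu") { continue }

            Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOu -WhatIf:$DryRun
            "$name -> $targetOu"
        }
    }
}
```

With `$DryRun` left at `$true` the `-WhatIf` output lists every move that would happen, which is the thing to eyeball before flipping it for 2200 objects; the existence check on the OU and the "already there" check make the script safe to re-run after a partial failure.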

Potato Salad
Oct 23, 2014

nobody cares


Gyshall posted:

People posting ITT not knowing about Access Based Enumeration (http://technet.microsoft.com/en-us/library/dd772681%28v=ws.10%29.aspx)

So, I know what I'm setting up the second I walk in the office tomorrow.

Thanks for that nugget.

BaseballPCHiker
Jan 16, 2006

Is there a way in SCCM 2012 to make a package and deployment use a specific distribution point? I setup a secondary dp and uploaded the content and when I deployed the software update package it seemed to still be going over our VPN to the primary site. I thought it would just automatically take the content from the closest dp but I guess not.

I get so frustrated working with SCCM. I'm trying to educate myself on it as much as I can but without work scheduling class time due to how busy we are I'm left to books and blogs which have only taken me so far.

Zaepho
Oct 31, 2013

BaseballPCHiker posted:

Is there a way in SCCM 2012 to make a package and deployment use a specific distribution point? I setup a secondary dp and uploaded the content and when I deployed the software update package it seemed to still be going over our VPN to the primary site. I thought it would just automatically take the content from the closest dp but I guess not.

I get so frustrated working with SCCM. I'm trying to educate myself on it as much as I can but without work scheduling class time due to how busy we are I'm left to books and blogs which have only taken me so far.

Content location is dependent on the boundary group that the DP is assigned to and which Boundary Group the client falls into at the time. Plus add in the ability to fall back to another DP if the content is not available within the current boundary group.

What we do for boundary groups on our engagements is to create "Site Assignment" boundary groups that are used only for assigning clients to the correct site. Secondly we setup "Content Boundary Groups" that are used expressly for directing clients to the appropriate DP for their location.

BaseballPCHiker
Jan 16, 2006

Zaepho posted:

Content location is dependent on the boundary group that the DP is assigned to and which Boundary Group the client falls into at the time. Plus add in the ability to fall back to another DP if the content is not available within the current boundary group.

What we do for boundary groups on our engagements is to create "Site Assignment" boundary groups that are used only for assigning clients to the correct site. Secondly we setup "Content Boundary Groups" that are used expressly for directing clients to the appropriate DP for their location.

Thanks for the tip. Gives me something to look into. Do you have any general books or sites to recommend? I've been reading the windows-noob forum guides, the deploy-happiness blog, and bought the System Center mastering the fundamentals book as well.

Hadlock
Nov 9, 2004

skipdogg posted:

There's a powershell thread in CoC that is really useful

http://forums.somethingawful.com/showthread.php?threadid=3286440

Welp, add that to the OP, I could have used that over the last 18 months for sure.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

BaseballPCHiker posted:

Thanks for the tip. Gives me something to look into. Do you have any general books or sites to recommend? I've been reading the windows-noob forum guides, the deploy-happiness blog, and bought the System Center mastering the fundamentals book as well.

I haven't found books to be very useful for learning about SCCM. All the good stuff is on various SCCM blogs. A book might be useful for getting a good understanding of all the parts though, so there could be some value there. For specific issues though it's always been a google search to some guys blog for the answer.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Hadlock posted:

Welp, add that to the OP, I could have used that over the last 18 months for sure.

I just did that, for whatever pathetic excuse of an OP it is.

Also holy poo poo I started this thread nearly 5 years ago. Back then I was starting from nothing with a blank SCCM 2007 install, and I just started a job running an SCCM instance that manages over 25k computers.

Sacred Cow
Aug 13, 2007

BaseballPCHiker posted:

Thanks for the tip. Gives me something to look into. Do you have any general books or sites to recommend? I've been reading the windows-noob forum guides, the deploy-happiness blog, and bought the System Center mastering the fundamentals book as well.

ConfigMgrDogs is a pretty great blog to follow. They cover a lot of the obscure stuff and automating with PowerShell. A recent post had a script that provides a SCCM plugin for PowerShell ISE that I can't live without now. You can also check out Channel 9 and do a search for SCCM TechEd conferences.

CLAM DOWN
Feb 13, 2007




Server 2012 R2 RDP certificate.

Why the gently caress did MS remove the RD Host Configuration tool? Is the only way to set a certificate on a workgroup machine like this:

code:
# get the WMI object path of the RDP-Tcp listener, then point it at the certificate by SHA1 thumbprint
$path = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH
Set-WmiInstance -Path $path -Argument @{SSLCertificateSHA1Hash="%sha1_thumbprint_pulled_from_certificate_properties_in_personal_store%"}
I know you can deploy this stuff with group policy, but I'm talking about a workgroup machine here. Local policy only lets you specify a template for enrollment, but autoenrollment isn't possible in this case so this is for a manually issued cert. We used to do this in 2008 R2 with the RD Host Configuration, going to the properties of the RDP-Tcp connection.
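The same WMI approach, as an added example rather than the poster's code: instead of pasting a thumbprint it picks the certificate out of the machine's Personal store by subject, checks that it has a private key, is unexpired and carries the Server Authentication EKU, applies it, and reads the listener back to confirm. The subject name `CN=host01.example.local` is an assumption; `RDP-tcp` is the listener name from the post.

```powershell
# Added example, not from the thread. Run elevated on the workgroup machine.
# Assumption: the manually issued cert was imported into Cert:\LocalMachine\My
# with its private key and has the subject below.

$Subject       = 'CN=host01.example.local'   # assumed
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'         # Server Authentication EKU OID

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -eq $Subject -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No valid server-authentication certificate with a private key for $Subject" }

$listener = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
"Current thumbprint: $($listener.SSLCertificateSHA1Hash)"

# Apply the new thumbprint to the listener.
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Read it back: WMI accepts the write even if the value never took, so verify explicitly.
$applied = (Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SSLCertificateSHA1Hash
if ($applied -ne $cert.Thumbprint) { throw "Thumbprint did not apply (listener still has $applied)" }
"RDP listener now uses $($cert.Subject) ($($cert.Thumbprint)), expires $($cert.NotAfter)"
```

One caveat worth knowing before the next RDP connection fails with a self-signed cert anyway: the Remote Desktop service runs as NETWORK SERVICE and must be able to read the certificate's private key, so if the cert was imported under another account, grant that read access in the certificate's private key permissions.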

Zaepho
Oct 31, 2013

BaseballPCHiker posted:

Thanks for the tip. Gives me something to look into. Do you have any general books or sites to recommend? I've been reading the windows-noob forum guides, the deploy-happiness blog, and bought the System Center mastering the fundamentals book as well.

I would echo what the others have said and add on that the MyITForum community is a great resource for SCCM. It's your best link to pretty much every SCCM MVP out there. Try to make it out to Ignite and see if you can network your way into chatting with some of the SCCM Community big names and you'll get a LOT of information that you'll never get from any book or training class.

SCCM is a tool you just have to work with and eventually it will click and things will start to make more sense. Unfortunately there's a lot of stuff to understand at the foundation level to be able to make the most of SCCM so it'll take some time.

Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin
I am getting my butt kicked by a print server.

I've got Server 2012 R2, I'm trying to deploy a printer in group policy and it just doesn't show up on the target computer. Group policy modeling shows that the printer should show up.

Are there some common issues that I should know about with this kind of thing?

How do I even start troubleshooting?

I see an error in the event log that says "Failed to connect to server" but I can't tell if it's related.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

Dr. Arbitrary posted:

I am getting my butt kicked by a print server.

I've got Server 2012 R2, I'm trying to deploy a printer in group policy and it just doesn't show up on the target computer. Group policy modeling shows that the printer should show up.

Are there some common issues that I should know about with this kind of thing?

How do I even start troubleshooting?

I see an error in the event log that says "Failed to connect to server" but I can't tell if it's related.

Can you ping the server from the client?

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from

Dr. Arbitrary posted:

I am getting my butt kicked by a print server.

I've got Server 2012 R2, I'm trying to deploy a printer in group policy and it just doesn't show up on the target computer. Group policy modeling shows that the printer should show up.

Are there some common issues that I should know about with this kind of thing?

How do I even start troubleshooting?

I see an error in the event log that says "Failed to connect to server" but I can't tell if it's related.

Computer itself will need the print security right to map the driver if the GPO is targeting a computer, so if the printer has restricted rights add domain computers to it. If that's not the case, check the rights on the print$ share (it should be Everyone/All Rights) and the firewall. Also that you didn't misspell the printer in the GPO. Might want to try mapping the printer without a GPO just to make sure you can.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

hihifellow posted:

Computer itself will need the print security right to map the driver if the GPO is targeting a computer, so if the printer has restricted rights add domain computers to it. If that's not the case, check the rights on the print$ share (it should be Everyone/All Rights) and the firewall. Also that you didn't misspell the printer in the GPO. Might want to try mapping the printer without a GPO just to make sure you can.

You can right-click deploy via GPO in print server (08 R2 and later).

Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin

incoherent posted:

You can right-click deploy via GPO in print server (08 R2 and later).

This is how I'm doing it for reference.

This is how I'm deploying.

hihifellow posted:

Computer itself will need the print security right to map the driver if the GPO is targeting a computer, so if the printer has restricted rights add domain computers to it. If that's not the case, check the rights on the print$ share (it should be Everyone/All Rights) and the firewall. Also that you didn't misspell the printer in the GPO. Might want to try mapping the printer without a GPO just to make sure you can.

Would this be Point and Print restrictions for the computer account?

I'm assuming enabled?

Edit:

I might try disabled first. If it works, I'll enable and tweak the settings until I get it right.

Otherwise, maybe it's a different setting.

Dr. Arbitrary fucked around with this message at 19:47 on Jan 25, 2015

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
Point and print restrictions are if a user can map a printer that has a driver that brings up a UAC prompt; I always enable it then set it not to prompt. But that doesn't sound like the case since that would show up in the event log.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
First thing in troubleshooting mapping of drives and printers via GPO: manually map the drive or printer and see what happens.
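The checks hihifellow and FISHMANPET describe, scripted from the client side as an added example (not code from either poster): reachability of the print server, read access to `print$` as the current identity, whether the share name in the GPO really exists on the server, a manual connection, and a sweep of recent spooler and group policy errors. The server name `printsrv01` and share name `Finance-HP-2nd-Floor` are placeholders.

```powershell
# Added example, not from the thread. Run on the client as the user (or, for a
# computer-targeted GPO, in a SYSTEM context) that should receive the printer.
# Assumptions: placeholders below; PrintManagement module present (Win8/2012+).

$PrintServer = 'printsrv01'              # placeholder
$ShareName   = 'Finance-HP-2nd-Floor'    # placeholder, exact share name used in the GPO

# 1. Can we reach the server on 445? Deployed printers and print$ both ride SMB.
$net = Test-NetConnection -ComputerName $PrintServer -Port 445
if (-not $net.TcpTestSucceeded) { throw "SMB (445) to $PrintServer not reachable; check DNS and firewall" }

# 2. Driver download comes from print$; the calling identity needs read access there.
$who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if (Test-Path "\\$PrintServer\print$") { "print$ readable as $who" }
else { Write-Warning "Cannot read \\$PrintServer\print$ as $who (share or NTFS rights)" }

# 3. Does a shared printer with exactly that share name exist? Catches typos in the GPO.
$remote = Get-Printer -ComputerName $PrintServer -ErrorAction Stop
if ($remote.ShareName -notcontains $ShareName) {
    Write-Warning "No share named '$ShareName' on $PrintServer. Shared printers there:"
    $remote | Where-Object Shared | Select-Object Name, ShareName, DriverName | Format-Table -AutoSize
}

# 4. Map it by hand; the error text here is far more specific than what GPO reports.
try {
    Add-Printer -ConnectionName "\\$PrintServer\$ShareName" -ErrorAction Stop
    "Manual connection succeeded, so the problem is on the GPO side (targeting, filtering, item-level rules)."
} catch {
    Write-Warning "Manual connection failed: $($_.Exception.Message)"
}

# 5. Anything the spooler or Group Policy logged as an error in the last day.
Get-WinEvent -FilterHashtable @{ LogName = 'Application', 'System'; Level = 2; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Print|Group Policy' } |
    Select-Object TimeCreated, ProviderName, Id, Message | Format-Table -Wrap
```

If step 2 fails for the computer account but works for the user, that is the "add Domain Computers to the printer" case from hihifellow's post; if step 4 succeeds the policy itself is what needs looking at, which is exactly the split FISHMANPET's advice is meant to give you.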

Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin

FISHMANPET posted:

First thing in troubleshooting mapping of drives and printers via GPO: manually map the drive or printer and see what happens.

Well, I'm an idiot for not trying this first.

I bet my policies are perfect now though.

MC Fruit Stripe
Nov 26, 2002

around and around we go
Got asked a question I have absolutely no idea how to answer.

Can you verify that your Active Directory environment is using Kerberos?

I have no idea. I know it does, of course it does, but how do I demonstrate that?

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

MC Fruit Stripe posted:

Got asked a question I have absolutely no idea how to answer.

Can you verify that your Active Directory environment is using Kerberos?

I have no idea. I know it does, of course it does, but how do I demonstrate that?

Could run klist.exe, that shows you a list of cached kerberos tickets. If you're not running kerberos you wouldn't get any tickets. If you wanted to get more in depth, stop the netlogon service, fire up wireshark or similar packet monitor, then start netlogon, you'll capture your system negotiating with a DC.
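For the screenshot the auditor wants, here is an added example (not the poster's code) that goes a step further than `klist`: it reads the local Security log's logon events (ID 4624) and tallies them by authentication package, so you can show Kerberos versus NTLM counts for real logons, then lists the cached tickets. The one-day lookback is an assumption; run it elevated, and on a DC it covers everyone who authenticated there.

```powershell
# Added example, not from the thread. Requires an elevated prompt to read the Security log.
# Assumption: a 24-hour window is enough evidence; widen $Since if the box is quiet.

$Since = (Get-Date).AddDays(-1)

$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction Stop |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType                    # 2 interactive, 3 network, 10 RDP ...
            AuthPackage = $d.AuthenticationPackageName    # Kerberos, NTLM or Negotiate
            LmPackage   = $d.LmPackageName                # NTLM V1/V2 when NTLM was used
            Source      = $d.IpAddress
        }
    }

# The summary to screenshot: logons by authentication package, machine/system accounts excluded.
$logons |
    Where-Object { $_.User -notmatch '\$$' -and $_.User -notmatch 'SYSTEM|ANONYMOUS LOGON' } |
    Group-Object AuthPackage | Select-Object Name, Count | Format-Table -AutoSize

# Whatever is still on NTLM is worth a look: access by IP address instead of name,
# non-domain hosts, and legacy apps are the usual reasons Kerberos did not get used.
$logons | Where-Object AuthPackage -eq 'NTLM' |
    Select-Object Time, User, LogonType, LmPackage, Source -First 20 | Format-Table -AutoSize

# Direct proof for this workstation: cached tickets only exist if Kerberos is in use.
klist
```

A count of Kerberos logons with a short NTLM tail is the normal picture in an AD domain; an NTLM-only result would mean something else is going on (workgroup machine, or everything connecting by IP), which is the kind of thing the auditor's softball is really fishing for.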

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
You could also setup a Linux system and bind it to AD using LDAP and kerberos.

Are they asking a particular thing is authenticating with Kerberos instead of NTLM?

MC Fruit Stripe
Nov 26, 2002

around and around we go

FISHMANPET posted:

You could also setup a Linux system and bind it to AD using LDAP and kerberos.

Are they asking a particular thing is authenticating with Kerberos instead of NTLM?

Nah it's just a softball question from an auditor.

Do you use NTLM or Kerberos?
We use Kerberos.
Excellent, excellent, if you could send a screenshot of that I'd appreciate it.
Not a problem! (I have no idea how to do that)

One of those, "of course it's Kerberos, go away" moments.

I'll find it, but I do love how sometimes it's the easy questions that throw you for a loop.

Potato Salad
Oct 23, 2014

nobody cares


Gyshall posted:

People posting ITT not knowing about Access Based Enumeration

Aaaaaaaaaaaaaaaand it's up! The test group of users is already giving positive feedback to the "I don't have to scroll through thirty folders to find my poo poo" feature.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
How can I work ABE into my org when I want to hide folders that are not relevant to the user, but still give them the option to access them if necessary?


Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin

Swink posted:

How can I work ABE into my org when I want to hide folders that are not relevant to the user, but still give them the option to access them if necessary?

I think you can do something with dollar signs. Like //servera/share$ will be available but hidden.
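Pulling the DFS namespace, the per-folder _FA/_RO groups, ABE and the hidden-share idea from this page together, here is an added example (not code from any poster) that builds that layout on a file server. The server `fs01`, domain `domain.local`, namespace `Shares`, local path `D:\Shares` and the group names are all assumptions; it needs the SmbShare and DFSN modules and rights to create the namespace.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# Assumptions: names below are placeholders; File Services / DFS Namespaces roles installed.

$Server    = 'fs01'                   # assumed file server
$Domain    = 'domain.local'           # assumed AD domain
$Namespace = 'Shares'                 # assumed namespace and share name
$Root      = 'D:\Shares'              # assumed local root folder
$FaGroup   = 'DOMAIN\Finance_FA'      # assumed full-access group for the Finance folder
$RoGroup   = 'DOMAIN\Finance_RO'      # assumed read-only group for the Finance folder

# 1. Share the root, then turn on ABE: users only see folders they have Read access to.
#    Share permission is deliberately wide; NTFS does the real access control below.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
New-SmbShare -Name $Namespace -Path $Root -FullAccess 'Authenticated Users' | Out-Null
Set-SmbShare -Name $Namespace -FolderEnumerationMode AccessBased -Force

# 2. One folder with its own _FA / _RO groups; stop inheriting so "Users: Read" from
#    the volume root does not make it visible to everyone.
$folder = Join-Path $Root 'Finance'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl = Get-Acl $folder
$acl.SetAccessRuleProtection($true, $false)      # block inheritance, discard inherited ACEs
$inherit = 'ContainerInherit,ObjectInherit'
foreach ($rule in @(
    New-Object Security.AccessControl.FileSystemAccessRule($FaGroup, 'Modify', $inherit, 'None', 'Allow'),
    New-Object Security.AccessControl.FileSystemAccessRule($RoGroup, 'ReadAndExecute', $inherit, 'None', 'Allow'),
    New-Object Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow'),
    New-Object Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', $inherit, 'None', 'Allow')
)) { $acl.AddAccessRule($rule) }
Set-Acl -Path $folder -AclObject $acl

# 3. Domain-based namespace: \\domain.local\Shares\Finance keeps working if fs01 is replaced.
New-DfsnRoot -Path "\\$Domain\$Namespace" -TargetPath "\\$Server\$Namespace" -Type DomainV2 -EnableAccessBasedEnumeration $true | Out-Null

# 4. The "reachable but not listed" case: a $-suffixed share is not enumerated by
#    Explorer or net view, but anyone with rights can still open it by UNC path.
$archive = Join-Path $Root 'Archive'
New-Item -ItemType Directory -Path $archive -Force | Out-Null
New-SmbShare -Name 'Archive$' -Path $archive -ReadAccess $RoGroup | Out-Null

# 5. Confirm the share really is in access-based mode.
(Get-SmbShare -Name $Namespace).FolderEnumerationMode   # expect: AccessBased
```

On Swink's question: ABE has no "hidden but openable" state for a folder inside a share, since it hides exactly the folders the user lacks Read on, and Read is what makes them openable. Granting Read makes the folder visible again; the hidden `$` share in step 4 is the way to keep something off the listing while still letting an entitled user reach it by typing the path.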
